Oracle8 Enterprise Edition Getting Started
Release 8.0.5 for Windows NT, A64416-01
This chapter describes how to authenticate Oracle8 database users with Windows NT. Specific topics discussed are:
The Oracle8 database can use information maintained by Windows NT to authenticate database users. The benefits of Windows NT authentication include:
The Windows NT Native Authentication Adapter (automatically installed with Net8 Server and Net8 Client) enables database users to be authenticated through Windows NT, so that client computers can make secure connections to an Oracle8 database on a Windows NT server. In a secure connection, the Windows NT server retrieves the client's Windows NT user name through the Windows NT Native Authentication Adapter and then permits that user name to perform database actions on the server.
The Windows NT Native Authentication Adapter provides database users with the following privileges:
Each connection privilege is described in this chapter.
This section describes how to authenticate nonprivileged database users (users who are not database administrators) through Windows NT so that no password is required when they access the database. When you use Windows NT to authenticate nonprivileged database users, your database relies solely on Windows NT to restrict access to database user names. In the steps below, the following Windows NT user names are authenticated:
The local and domain user name FRANK and the domain SALES are used in the steps below. Substitute the local user name, domain user name, and domain name appropriate for your environment.
Follow the steps below to connect without a password as a nonprivileged database user:
To perform authentication tasks on an Oracle8 database server:
The OS_AUTHENT_PREFIX value is prefixed to local or domain user names attempting to connect to the server with the user's operating system name and password. The prefixed user name is compared with the Oracle user names in the database when a connection request is attempted. Using the OS_AUTHENT_PREFIX parameter with the Windows NT Native Authentication Adapter is the recommended method for performing secure, trusted client connections to your server.
The parameter value XYZ is used in the steps below. Substitute XYZ with the value you set for OS_AUTHENT_PREFIX.
C:\> REGEDT32
The Add Value dialog box appears:
The String Editor dialog box appears:
TRUE enables the server to distinguish between multiple FRANK user names: local user FRANK, domain user FRANK on SALES, and domain user FRANK on any other domain in your network. FALSE causes the domain to be ignored, so local user FRANK becomes the default value of the operating system user name returned to the server.
The Registry Editor adds the parameter.
The Registry Editor exits.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> REGEDT32
The Add Value dialog box appears:
The String Editor dialog box appears:
TRUE causes the server to accept connections only from nonprivileged users who are members of the ORA_USER or ORA_SID_USER Windows NT local group.
The Registry Editor adds the parameter.
The Registry Editor exits.
The New Local Group dialog box appears.
| Local Group | This Local Group Includes... |
|---|---|
| ORA_USER | Unprivileged database users; applicable for all SIDs. |
| ORA_SID_USER | Unprivileged database users; applicable only for the SID specified in the name. |
For this example, the SID entered is ORCL:
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
C:\> SVRMGR30
SVRMGR> CONNECT SYSTEM/PASSWORD
Unless you have changed it, the SYSTEM password is MANAGER by default.
| If Authenticating a... | Then Enter... |
|---|---|
| Local user name | SVRMGR> CREATE USER XYZFRANK IDENTIFIED EXTERNALLY; |
| Domain user name | SVRMGR> CREATE USER "XYZSALES\FRANK" IDENTIFIED EXTERNALLY; |
| If Authenticating a... | Then Enter... |
|---|---|
| Local user name | SVRMGR> GRANT RESOURCE TO XYZFRANK; SVRMGR> GRANT CONNECT TO XYZFRANK; |
| Domain user name (1) | SVRMGR> GRANT RESOURCE TO "XYZSALES\FRANK"; SVRMGR> GRANT CONNECT TO "XYZSALES\FRANK"; |

(1) Enter the syntax for domain users in uppercase and with double quotes around the domain user name.
SVRMGR> CONNECT INTERNAL/PASSWORD
SVRMGR> SHUTDOWN
SVRMGR> STARTUP
This causes the change to the OS_AUTHENT_PREFIX parameter value to take effect.
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SVRMGR30
SVRMGR> CONNECT /@SERVICE_NAME
where SERVICE_NAME is the Net8 service name for the Oracle8 database that you created in Step 3.
The Oracle8 database searches the data dictionary for an automatic login user name corresponding to the Windows NT local or domain user name, verifies it, and allows you to connect as XYZFRANK or XYZSALES\FRANK.
SVRMGR> SELECT * FROM USER_ROLE_PRIVS;
which outputs for local user FRANK:

```
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZFRANK                       CONNECT                        NO  YES NO
XYZFRANK                       RESOURCE                       NO  YES NO
2 rows selected.
```

or, for domain user FRANK:

```
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZSALES\FRANK                 CONNECT                        NO  YES NO
XYZSALES\FRANK                 RESOURCE                       NO  YES NO
2 rows selected.
```
As the Oracle8 user name is the whole name XYZFRANK or XYZSALES\FRANK, all objects created by XYZFRANK or XYZSALES\FRANK (that is, tables, views, indexes, and so on) are prefixed by this name. For another user to reference the table SHARK owned by XYZFRANK, for example, the user must enter:
SVRMGR> SELECT * FROM XYZFRANK.SHARK;
Attention: Automatic authorization is supported for all Net8 protocols.
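As an added example that is not part of the original manual and not Oracle code, the following Python models the name mapping and group check described in this section: how OS_AUTHENT_PREFIX and the TRUE/FALSE domain setting produce the Oracle user name that is looked up, how that name is quoted in CREATE USER, and the ORA_USER/ORA_SID_USER membership check. The function names are assumptions, and comparing names in upper case is an assumption based on this chapter's examples.

```python
# Constructed model of the mapping described in this chapter; not Oracle code.
# Function names are assumptions. Names are compared in upper case, which is an
# assumption based on the chapter's examples (XYZFRANK, "XYZSALES\FRANK").


def oracle_user_name(prefix, nt_user, nt_domain=None, prefix_domain=True):
    r"""Return the Oracle user name the server looks up in the data dictionary.

    prefix        -- value of OS_AUTHENT_PREFIX (XYZ in the chapter's example)
    nt_user       -- Windows NT user name returned by the adapter
    nt_domain     -- Windows NT domain name, or None for a local account
    prefix_domain -- the TRUE setting: keep the domain so that local FRANK and
                     SALES\FRANK stay distinct; FALSE drops it (local FRANK)
    """
    if nt_domain and prefix_domain:
        return f"{prefix}{nt_domain}\\{nt_user}".upper()
    return f"{prefix}{nt_user}".upper()


def create_user_sql(oracle_name):
    """CREATE USER statement; domain names contain a backslash and need quotes."""
    quoted = f'"{oracle_name}"' if "\\" in oracle_name else oracle_name
    return f"CREATE USER {quoted} IDENTIFIED EXTERNALLY;"


def may_connect(nt_groups, sid, enforce_groups):
    """The TRUE setting: only members of ORA_USER or ORA_<SID>_USER may connect."""
    if not enforce_groups:
        return True
    allowed = {"ORA_USER", f"ORA_{sid.upper()}_USER"}
    return any(g.upper() in allowed for g in nt_groups)


if __name__ == "__main__":
    # Constructed sample input: local FRANK and domain user SALES\FRANK.
    for domain in (None, "SALES"):
        name = oracle_user_name("XYZ", "frank", domain)
        print(name, "->", create_user_sql(name))
    print(may_connect(["Users", "ORA_ORCL_USER"], "ORCL", True))
```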
This section describes how to enable Windows NT to grant the SYSOPER and SYSDBA privileges to DBAs. This enables DBAs to issue the following commands from a client computer and connect to the Oracle8 database without entering a password:
To enable this feature, the Windows NT local or domain user name of the client must belong to one of the following four Windows NT local groups on the server:
The SYSOPER and SYSDBA privileges are mapped to the following Windows NT local groups:
| This Privilege... | Maps to the Local Group... |
|---|---|
| SYSOPER | ORA_SID_OPER, ORA_OPER |
| SYSDBA | ORA_SID_DBA, ORA_DBA, ORA_SID_OPER, ORA_OPER |
Follow the steps below to connect as SYSOPER or SYSDBA without a password:
Note: Use Server Manager to connect as SYSOPER or SYSDBA without a password. SQL*Plus and the Oracle Enterprise Manager applications cannot be used for this type of connection.
To perform authentication tasks on the Oracle8 database server:
The New Local Group dialog box appears.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SVRMGR30
SVRMGR> SET INSTANCE SERVICE_NAME
where SERVICE_NAME is the Net8 service name for the Oracle8 database that you created in Step 3.
| If The Local Group Is... | Then Enter... |
|---|---|
| ORA_DBA or ORA_SID_DBA | SVRMGR> CONNECT / AS SYSOPER or SVRMGR> CONNECT / AS SYSDBA |
| ORA_OPER or ORA_SID_OPER | SVRMGR> CONNECT / AS SYSOPER |
You are connected to the Windows NT server. If you connect with SYSDBA, you are given DBA privileges.
This section describes how to connect as INTERNAL without a password. To do this, you must create one of the following new local Windows NT user groups and add a Windows NT operating system local or domain user to that group:
This enables you to log into a local computer or a Windows NT domain. In the domain, your Oracle8 database is just one of many resources to which you have access. Once you access this domain, you are automatically validated as an authorized DBA who can access the Oracle8 database without a password.
Follow the steps below to connect as INTERNAL without a password:
To perform authentication tasks on the Oracle8 database server:
Note: REMOTE_LOGIN_PASSWORDFILE can also be set to SHARED. However, to perform secure, trusted operating system-authenticated connections, it is recommended that you set this parameter to NONE.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
The New Local Group dialog box appears.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
SVRMGR> CONNECT INTERNAL/PASSWORD
SVRMGR> SHUTDOWN
SVRMGR> STARTUP
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SVRMGR30
SVRMGR> SET INSTANCE SERVICE_NAME
where SERVICE_NAME is the Net8 service name for the Oracle8 database that you created in Step 3.
SVRMGR> CONNECT INTERNAL
You are connected to the Windows NT server.
This section describes how to grant Oracle8 database roles to users directly through Windows NT. When you use Windows NT to authenticate users, Windows NT local groups can grant these users database roles. Through User Manager, you can create, grant, or revoke database roles for users.
Follow the steps below to grant database roles with Windows NT:
To perform authentication tasks on the Oracle8 database server:
The default setting for this parameter is FALSE.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SVRMGR> CREATE ROLE DBSALES3 IDENTIFIED EXTERNALLY;
where DBSALES3 is the name of the role for these steps. Substitute a role name appropriate to your database environment.
SVRMGR> GRANT DBA TO DBSALES3 WITH ADMIN OPTION;
SVRMGR> GRANT RESOURCE TO DBSALES3 WITH ADMIN OPTION;
SVRMGR> GRANT CONNECT TO DBSALES3 WITH ADMIN OPTION;
SVRMGR> CONNECT INTERNAL/PASSWORD
SVRMGR> SHUTDOWN
SVRMGR> STARTUP
The New Local Group dialog box appears:
ORA_SID_ROLENAME [_D] [_A]

| Component | Meaning |
|---|---|
| SID | Indicates the database instance. |
| ROLENAME | Identifies the database role granted to users of a database session. |
| D | Optional character indicating that this database role is to be the default role of the database user. If specified, this character must be preceded by an underscore. |
| A | Optional character indicating that this database role includes the ADMIN OPTION. This enables the user to grant the role to other roles only. If specified, this character must be preceded by an underscore. |
For this example, ORA_ORCL_DBSALES3_D is entered.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
You can convert additional database roles to several possible Windows NT groups, as shown in the following table. Users connecting to the ORCL instance in this example who are authenticated by Windows NT as members of these Windows NT local groups have the privileges associated with DBSALES3 and DBSALES4 by default (because of the _D option). DBSALES1 and DBSALES2 are available to a user who first connects as a member of DBSALES3 or DBSALES4 and then uses the SET ROLE command. A user who tries to connect with DBSALES1 or DBSALES2_A without first connecting with a default role is unable to connect. Additionally, users can grant DBSALES2 and DBSALES4 to other roles (because of the _A option).
| Database Roles | Windows NT Groups |
|---|---|
| DBSALES1 | ORA_ORCL_DBSALES1 |
| DBSALES2 | ORA_ORCL_DBSALES2_A |
| DBSALES3 | ORA_ORCL_DBSALES3_D |
| DBSALES4 | ORA_ORCL_DBSALES4_DA |

Note: When the Oracle8 database converts the group name to a role name, it changes the name to uppercase.
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SVRMGR30
SVRMGR> SET INSTANCE SERVICE_NAME
where SERVICE_NAME is the Net8 service name for the Oracle8 database that you created in Step 3.
SVRMGR> CONNECT SCOTT/TIGER
You are connected to the Windows NT server over Net8 as the Oracle user SCOTT (password TIGER). The roles applied to the Oracle user name SCOTT consist of all roles defined for the Windows NT user name that were mapped to database roles above (in this case, ORA_DBSALES3_D). All roles available under an authenticated connection are determined by the Windows NT user name and the Oracle-specific Windows NT local groups to which the user belongs (for example, ORA_SID_DBSALES1 or ORA_SID_DBSALES4_DA).